We are a small development firm looking to access the following services remotely:

http

smb network shares

rdc / vnc

Currently we do this with a lot of ssh tunnels. We are looking into switching to a vpn solution, which hopefully should have less client side setup needed like setting up host files etc.

We would like full name resolution (wins/netbios and dns) as if we were attached to the office network.

Is OpenVPN the right tool for the job? It seems as though using OpenVPN in "bridged" mode will give us all we want.

What are the pros and cons of bridged mode vs. routed mode?
How does OpenVPN compare to other sorts of vpn solutions (ipsec, pptp, cisco)?
Will OpenVPN play nicely with other vpn clients? Would we be able to use multiple (different vendor) vpn clients simultaneously?

5 Answers

We would like full name resolution (wins/netbios and dns) as if we were attached to the office network.

Bridged mode will allow you to place your external clients onto the network as if they were there physically. You can push DHCP addresses out to them to ensure that they have the correct name resolution settings.

How does OpenVPN compare to other sorts of vpn solutions (ipsec, pptp, cisco)?

OpenVPN is a doddle to set up and use. Passes through firewalls quite happily. The same free server and client software is available for all major operating systems.

By [my slightly jaded] contrast:

IPsec

Fiddly to set up.

A lot of server and client implementations available but none behave quite the same way.

Has trouble traversing some networks.

Cisco

Just IPsec under the hood. See above.

Okay if you manage lots of Cisco devices in those locations today.

Only works with Cisco devices and their licensed client.

PPTP

Somewhat hackish implementation based on PPP and GRE.

Largely only popular because it was easy to set up from Windows.

Lacks solid encryption routines of its own.

Has trouble traversing some networks.

Will OpenVPN play nicely with other vpn clients? Would we be able to use multiple (different vendor) vpn clients simultaneously?

I'd recommend OpenVPN in bridged mode for the clients. Use routed mode to connect two networks. You still need to ship keys etc. to the clients, but we built a shell script that makes a .zip that you just give to the user.
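As an added example (not taken from any of the answers), here are two minimal OpenVPN 2.x server.conf fragments contrasting the routed (tun) and bridged (tap) modes the answers above discuss, including the DNS/WINS/domain options pushed to clients for name resolution. All addresses, file names and the domain suffix are assumed placeholders; the office LAN is assumed to be 192.168.1.0/24.

```conf
# --- Routed mode: "dev tun", clients get their own subnet (10.8.0.0/24) ---
# Assumed layout: office LAN 192.168.1.0/24, DNS+WINS server at 192.168.1.10.
port 1194
proto udp                  # use "proto tcp" and "port 443" where UDP is filtered
dev tun
ca ca.crt                  # CA that signs both server and client certificates
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0          # extra HMAC on the control channel; clients use "tls-auth ta.key 1"
remote-cert-tls client     # refuse a connecting peer that presents a server certificate
tls-version-min 1.2
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"       # office LAN is reachable through the tunnel
push "dhcp-option DNS 192.168.1.10"          # office DNS server (assumed address)
push "dhcp-option WINS 192.168.1.10"         # WINS/NetBIOS name server (assumed address)
push "dhcp-option DOMAIN office.example"     # search suffix so short hostnames resolve
keepalive 10 120
persist-key
persist-tun
user nobody                # drop privileges after the tunnel is up
group nogroup

# --- Bridged mode: "dev tap", clients appear as hosts on the office LAN ---
# Same certificate/TLS lines as above; only the device and addressing differ.
# tap0 must be attached to a bridge (e.g. br0) together with the office NIC.
dev tap0
# server-bridge <gateway> <netmask> <pool-start> <pool-end>:
# OpenVPN hands out LAN addresses from this pool, so clients share the LAN's
# broadcast domain and NetBIOS/WINS browsing works without extra routes.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option WINS 192.168.1.10"
push "dhcp-option DOMAIN office.example"
```

The pushed dhcp-option values are applied automatically by the Windows client; Linux and macOS clients need an up script (such as the update-resolv-conf script shipped with OpenVPN) to write them into the resolver configuration.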

The great advantage of openvpn is that it works through all routers as it doesn't use an unusual IP packet type. IPsec and pptp suffer from this. I don't have experience of Cisco's vpn.

Nobody else has mentioned it yet -- unlike commercial VPN products, you don't have "different vendor VPN clients" with OpenVPN. All of OpenVPN is open source, so people just port OpenVPN to whatever platform needs support. So you only have one OpenVPN client -- THE OpenVPN client. No vendor games to make your life unpleasant.

If you plan to deploy any serious VPN in an enterprise you'll have to deploy a CA infrastructure. OpenVPN and IPSec both require it. It is not complex, but its security should not be overlooked.

Also, ask yourself what sort of firewalls you expect in the middle. IPsec works over UDP, which may not be available from certain locations, like home networks with NAT. But it is supported at OS level by Windows.

OpenVPN has been a breeze to set up most of the time and can be set up to work on port 80 TCP for extra connectivity, but it requires installation and maintenance of another app. Also, if you want to bridge some subnets over VPN and you want hardware routers to do that, they will not support OpenVPN, but will support IPSec.

To cut it short, use VPN if you are an SMB and just want your end-users to connect from home. Use IPSec if you are a blooming enterprise (and switch to IPv6) :)